Admins

Learn Salesforce Roles and Profiles in 5 Minutes (Ft. Permission Sets)

By Lucy Mazalon

Profiles, roles and permission sets work together to determine what Salesforce users can see and do inside Salesforce. I remember security & access was one of the toughest topics on the Salesforce Admin certification exam. There is no way around these concepts, as they are foundational to how Salesforce records are visible and editable. So, what are the differences between Salesforce Roles and Profiles?

While I was attempting to wrap my head around the differences between Salesforce roles and profiles, there was a simple mantra that I said to myself over and over again, and then took into the exam with me: “Roles see, profiles do”.

That is an oversimplification but it is the best way to start learning about profiles vs. roles in Salesforce. In this post, I will dive into the differences between the two concepts. Come with me as I take you on a journey into how Salesforce permissions work.

What is a Salesforce Profile?

Profiles control what users can do in your Salesforce org. This can be referred to as CRED:

  • C = create
  • R = read
  • E = edit
  • D = delete

You may want some users in your org to read and edit Leads, but not delete them. CRED enables you to mix and match what a specific user can do with each object.

See how this looks on a profile’s settings (found under the ‘Object Permissions’ section):

In addition to objects, profiles also control:

Each Salesforce user in your org has a profile. Profiles are designed to group users into functions, for example, ‘Sales’, ‘Support’ etc.

The most important profile in the org is ‘System Administrator’. Users in this profile have absolute access to do anything. In addition to CRED, they will have ‘View all’ and ‘Modify all’ selected for each object.

They will also have ultimate permissions, namely ‘Modify all data’, ‘Customize application’ that you would not want to give to any other users! (found under the ‘Administrative Permissions’ section).

What is a Salesforce Role? – and the Role Hierarchy

Let’s switch to thinking about roles, which control what users can see in your Salesforce org.

Roles are designed to increase data visibility, to open up access to Salesforce records. You will have a baseline visibility set for each object in your org, known as the ‘org wide default’ (organizational wide default, OWD). Examples of this could be:

  • Opportunities are set to ‘Private’, which means that users can only see the opportunities they own.
  • Accounts are set to ‘Public Read/Write’, so that any user can help to update account information.

You should know that there are defaults that are already set. I’m not going to dive into details on OWD right now, but I want you to remember the golden rule…

Golden rule: the ‘org wide default’ should be set to the most restrictive level. Salesforce permissions work by opening up access, not by locking them down. So, start with the strictest in mind.

There are two ways to increase data visibility via roles, essentially superseding (pushing past) the OWD:

  • The Role Hierarchy
  • Sharing Rules
READ MORE: Tips for Planning and Creating Salesforce Sharing Rules

Salesforce Roles and Profiles

There’s some confusion when a Salesforce org is using both profiles and roles. They are designed to be used together – it is not an ‘either/or’ decision.

It may help to think in different shapes. Profiles are like circles, whereas roles are arranged into a hierarchy (when using the Role Hierarchy):

Profiles are like circles of users that share the same function, eg. ‘Marketing’, ‘System Admin’, ‘Sales’, ‘Support’. Roles are how users relate to each other in a hierarchy, eg. the ‘VP of Sales’ is above the Sales Managers in the role hierarchy:

Note: Sharing Rules are used to extend the Role Hierarchy, so that you are not restricted to the strict top-down sharing as laid out in the hierarchy – in other words, Sharing Rules can enable you to open up record visibility horizontally across the hierarchy.

What’s the Difference Between a Role and Profile in Salesforce?

ProfileRole
Determines what users can...Do - create, read, edit, deleteSee - record visibility
Required for each user? X - it’s optional
Imagine in the shape of:Circles, grouping users with similar functions. Hierarchy, that splits users with more authority from those with less.
Controls access to:Objects, field-level security (which fields are visible or editable), page layouts, record types, apps, tabs.Records, folders.

What About Permission Sets? (Permission Sets vs. Profiles)

Once you have got to grips with profiles and roles, you have mastered a core Salesforce Admin concept that will serve you well. What about permission sets, then? Not another Salesforce data access concept! Fear not, I will explain the differences between profiles and permission sets quickly, and painlessly.

Permission sets could be considered add-ons for profiles. They offer flexibility in how you add certain permissions (objects, field-level security, page layouts, record types, apps, tabs) to certain users – almost like you are tagging an individual user. In order to grant a very specific ability to a user, you obviously don’t want to create a whole new profile just for that one difference between their abilities and the rest of their team’s!

Let’s take an example:

There is a sales team, who have the profile ‘Sales User’. Only Carole should be able to change the team’s email templates, so the Admin has created a Permission Set called ‘Modify Email Templates’ which she has added to Carole’s user record.

Permission sets are visible from the related list on the user’s record:

Permission sets can simply be added and removed, from ‘Available Permission Sets’ to ‘Enabled Permission Sets’ – as shown below:

You should also be aware of Permission Set Groups. These were new in the Spring ‘20 release, created to revolutionize how Admins can organize org permissions, allowing Permission Sets to be grouped together and assigned to users.

READ MORE: Introduction to Permission Set Groups in Salesforce

Summary

Profiles, roles, and Permission sets work together to determine what Salesforce users can see and do inside Salesforce. These concepts are foundational to how Salesforce records are visible and editable, and is absolutely essential knowledge in order to become a Salesforce Admin.

Now you know the differences between a Salesforce Role and Profile, plus how Permission sets come into the picture. There’s some confusion when a Salesforce org is using both profiles and roles. They are designed to be used together – it is not an ‘either/or’ decision.

Just remember the simple mantra: “Roles see, profiles do” if you’re ever in doubt.

The Author

Lucy Mazalon

Lucy is the Operations Director at Salesforce Ben. She is a 10x certified Marketing Champion and founder of The DRIP.

Comments:

    Mr. Webber
    July 28, 2020 6:56 am
    Hi Sam, great article. Thank you.
    Tessy George
    July 28, 2020 3:16 pm
    Superb article on Roles and Profiles... I would like to refer it to all my friends whenever in doubt about this topic...!
    Lucy Mazalon
    July 28, 2020 7:19 pm
    Thank you Tessy!
    Lucy Mazalon
    July 28, 2020 7:33 pm
    Thanks Tessy!
    Jaime
    July 29, 2020 12:09 am
    Very well explained. Also very clear that permission sets open permissions for specific users, not being possible to apply them to roles or profiles.
    Lucy Mazalon
    July 29, 2020 5:00 pm
    Thank you Jaime, glad you found it useful
    Virginie Gumez
    July 30, 2020 9:45 am
    Thanks ! Great article :)
    Christine Marshall
    August 05, 2020 4:03 pm
    Glad you enjoyed it!
    Shreenivas Adapur
    August 10, 2020 4:23 pm
    Great article Sam.!! One question: If OWD for an object is Public Read Only, and for a Manager's profile(Ben as Manager) in Role Hierarchy does NOT have 'Read' permission on that object. User Sam is record owner of that object. What action manager Ben can take on the user Sam's records of that object.? nothing or only read access or read & write?
    Samantha Lisk
    September 11, 2020 1:32 pm
    This is really helpful. I've been struggling to conceptualize where FLS fits into the security and sharing model, and this explanation makes it clear. Thank you!
    Samuel Lopez
    September 12, 2020 6:27 am
    This is a great article! I never knew how to explain this to other teams in our organization. I'll simply share this article with them :) Thank you!
    Divik
    September 20, 2020 11:34 pm
    great article, very nicely explained.
    Andrew S
    November 05, 2020 2:17 pm
    This is literally the only question I ask an admin during an interview and it is amazing how many certified admins can not effectively explain the difference.
    Kim Pham
    December 21, 2020 2:30 pm
    Very helpful to a newbie like me, thank you
    Marco Pierre
    February 08, 2021 8:35 am
    Best permission article ever. I finally understand this topic.
    Lucy Mazalon
    February 08, 2021 10:11 am
    Thank you very much!
    Lucy Mazalon
    February 08, 2021 10:11 am
    Thanks Kim, appreciate your feedback
    Pravallika
    February 11, 2021 4:37 am
    Thank you Sam! it really easy to understand and it helped me.
    Ninad
    April 03, 2021 6:13 pm
    Absolutely wonderful article sam...kudos to ur efforts..thanks.
    SATEESH R BAGALKOT
    April 24, 2021 1:02 pm
    Clear and made very easy to understand the concepts, thank you very much
    Carol
    May 13, 2021 9:46 pm
    Amazing article! I love it!
    Anu Mamachan
    May 14, 2021 12:35 pm
    Very very very well explained . Excellent content .Made this soo easy for me.Hurray
    Sudhansu
    May 20, 2021 2:57 pm
    Thank you Lucy. This is the best article I have read on Salesforce Roles and Permissions. This helps immensely to a newbie like me.
    sindhu
    May 24, 2021 3:07 pm
    great ...!very clear even a person new to salesforce can understand clearly.
    Amit
    June 24, 2021 7:34 pm
    Hi, 1) I have a profile similar to system admin, however I do not want the user to create/edit (should only view) roles, profiles and permission sets. Which permission would be useful to restrict this 2) I have a profile similar to system admin, however I do not want the user to create/edit (should only view) roles, profiles and permission sets. Should also be not able to create object/ fields. Which permission would be useful to restrict this 2) User should only have access to Object Manager, but should not have permission to create roles, profiles, permission sets etc. Which permission should be granted 3) User should only have "View" access to Object Manager. Should not be able to create objects, fields etc - Can we do this ?
    Nicole Dawes
    July 16, 2021 6:53 pm
    Hey Amit! You should check out Strongpoint - their solution gives you several tools for managing access control in your Org on an ongoing basis. You can easily identify and consolidate similar profiles to cleanup and prevent unauthorized access or build intelligent policies to alert you when things change. You can even review access by Object or conduct detailed reviews of access and permissions by User. Check it out here: https://www.strongpoint.io/salesforce-access-management
    Tayor Murray
    August 24, 2021 11:34 am
    Explained it better to me than Trailhead, thank you! Great for prepping for the exam.
    Amit
    August 24, 2021 11:45 am
    Read access only
    Wael S Ibrahim
    August 27, 2021 4:12 pm
    Absolutely great article thank you one question how in real life A group of Salesforce Administrators coherently work in a large organization to setup, maintain and secure the company's org account without overriding each other and properly auditing the work?
    ABC
    November 21, 2021 6:21 am
    Thanks for information about profiles ,roles and permission sets.
    Flavio Siva
    November 25, 2021 3:20 am
    The best article! Congrats!
    Claire Jones
    November 29, 2021 7:37 am
    Great explanation - have just forwarded the article to my mentee :-)
    Yogesh
    December 26, 2021 8:33 am
    Great explanation!
    Hendri S
    February 25, 2022 12:05 pm
    hi thanks for expalin is really clear, i just want to ask about how can i create alert when some profile made or changes access.? thanks
    Ross
    March 25, 2022 1:28 am
    I really really wish I had found this before I got certified. This was the hardest thing to wrap my head around. Awesome article. So clear.
    Christine Marshall
    March 25, 2022 9:44 am
    Thank you for the great feedback!
    Gajanan
    May 08, 2022 2:37 pm
    Thanks For the Article, Explained in too easy format, Liked it, cleared all my doubts...
    Hema Lohakare
    June 15, 2022 11:25 am
    Thanks for this great Article you shared with us. It help me to clear my doubts and concepts. Thank you once again
    Anil kumar Reddy
    June 17, 2022 4:21 am
    Good Explanation straight to the point without any confusion .I understood very well ! Thank you
    Eddie Pascual
    June 20, 2022 5:41 pm
    Super clear with great images. Thank you!
    Christine Marshall
    June 21, 2022 10:27 am
    Thanks for reading!
    Ajeet
    July 09, 2022 8:32 am
    Hi Lucy It's a really great artical that you write. It's clear my doubt regarding to Profile, Permission Set and Roles. I love your Mantra "Profile can do and Roles can see." Thanks
    Otto
    July 10, 2022 1:13 am
    I can't thank you enough for writing this article
    Ashley
    July 16, 2022 6:45 pm
    This was so helpful! Thank you.
    Tolulope Wayns
    July 26, 2022 7:36 am
    You provided so much clarity in an easy-to-remember format. Thanks.
    Christine Marshall
    August 03, 2022 12:46 pm
    Thanks for reading!
    Karen McKinney
    August 14, 2022 9:49 pm
    Your explanation and visuals are brilliant. I'm taking the Salesforce Administrator Exam tomorrow. I will walk with a smile on my face as I keep saying your mantra for roles and profiles in my mind.
    Christine Marshall
    August 15, 2022 10:38 am
    Thanks for your wonderful feedback and good luck with your exam!
    Rushika pawar
    August 18, 2022 4:44 am
    Hi Lucy please share for owd as well. Thankyou for this blog
    Christine Marshall
    August 19, 2022 10:58 am
    We have an article on OWD coming soon!
    Ashish Diwate
    August 20, 2022 6:44 pm
    Thanks a lot Lucy , It Will help me for my Salesforce administration Exam , simply wonderful explanation.
    Falcon
    August 26, 2022 5:21 pm
    Thanks for wonderful information. It opened my mind about profiles vs roles.
    zahoor
    October 11, 2022 5:21 am
    Its Awesome!
    Yeside
    October 12, 2022 5:52 pm
    Thank you! Just had a request from user A to see the same things as user B, they have different profiles. What I have done is given User A the same Role as user B.
    Betty
    November 07, 2022 11:00 am
    Thank You @Lucy Mazalon and @Christine for this breakdown of Access to Permissions and Roles. I feel like I understand better, what I am learning in My Trailhead process.
    Joel
    January 18, 2023 10:32 pm
    Hi Team, with the changes coming on Permission Sets vs Profiles, will you be doing an article about that? Thanks for providing such great content.
    Christine Marshall
    February 10, 2023 2:49 pm
    You can stay up to date on the changes in our article here: https://www.salesforceben.com/salesforce-to-retire-permissions-on-profiles-whats-next/
    Nate
    March 07, 2023 11:53 pm
    Any time users need to edit records, does that automatically require Sharing Rules to be configured on Profiles instead of Roles?
    Leo da Silva
    March 15, 2023 10:07 pm
    Excellent article. Thanks. :-)
    SoundofText
    January 05, 2024 3:07 pm
    Great clarification on roles and profiles in Salesforce! As a beginner, I find it hard to understand the complex hierarchy and permissions. The example with permission sets is extremely helpful in visualizing how it all works. Thanks for breaking it down in a simple and easy-to-understand manner!

Leave a Reply